Blog
Demos, implementation guides, product updates and broader takes on authorization, identity and security. Written for the engineers, architects, security, identity and product leaders shaping how their teams ship and govern access.

It's a dimmer switch, not a kill switch. How CISOs are rethinking AI agent governance
AI agent drift needs more than a kill switch. CISOs and IAM leaders in regulated industries are moving to a dimmer switch model, fine-grained runtime authorization that narrows agent access without breaking the workflow, with a complete audit trail of every decision and policy change.

From maps to bitmaps (and from bitmaps to bitmaps)
Inside the Cerbos PDP performance rewrite that took authorization decisions from 43.8 µs to 6.6 µs. This post walks through three iterations of the rule table index, why roaring bitmaps weren't the right fit, and how a custom bitmap with a meta layer beat both the previous index and roaring.

AuthZEN, Shared Signals, SCIM Events, IPSIE: Notes from the OpenID Enterprise Panel
Notes from the OpenID Foundation enterprise panel on how Shared Signals, AuthZEN, SCIM Events and IPSIE fit as a stack, the missing reference architectures between specs, and where AI agents land against existing OAuth and OIDC primitives. With Atul Tulshibagwale, Mike Kiser, Dick Hardt and Alex Olivier.

IIW42 recap: Where agent authorization got real
IIW42 was the unconference where agent authorization stopped being theoretical. This recap covers what changed in agent identity, why the principal model is breaking, intent drift, the cross-trust-domain problem, and why identity matters more for accountability than for the policy decision itself.

Cerbos PDP v0.52.0/v0.53.0: Engine performance, security hardening, and CEL path functions
Cerbos PDP v0.52.0 and v0.53.0 bring engine performance optimizations, new CEL path functions, and tighter JWT security. This release recap covers faster decision generation, the new cerbosctl hub auth command, audit log version metadata, query plan scope fixes, and the OpenTelemetry Semantic Conventions 1.39.0 breaking change.

Authorization Management Platforms: what they do, how they work, and where they fit
What an Authorization Management Platform (AMP) actually does: the PAP, PDP, PEP, PIP and POP architecture, integration modes, and where the category fits alongside IGA, PAM, and access management in the identity stack.

PocketOS AI coding agent deleted a production database in 9 seconds
An AI coding agent on Cursor and Claude Opus 4.6 deleted PocketOS's production database in nine seconds, backups included. The fix isn't a smarter model. It's authorization that lives outside the agent. Here's what would have stopped it, and the authorization policy you can ship this week.

Non-Human Identity management still has a blind spot
Non-human identity management today focuses on discovery, inventory, and credential rotation. This guide covers why runtime authorization is the missing layer, how overprivileged NHIs create risk at scale, and how to enforce fine-grained, policy-based access control for every service-to-service request.

Supabase alternative in 2026: Best open source auth options
Compare open source Supabase Auth alternatives for authentication, identity, and authorization. See where SuperTokens, ZITADEL, Authentik, Keycloak, Hanko, and Cerbos PDP fit.

Benefits of on-premise authorization: Why enterprises are moving toward self-hosted
On-premise authorization gives security teams full control over policies, decision logs, and audit trails without data leaving the perimeter. This guide covers why regulated enterprises are moving to self-hosted, when cloud-hosted still makes sense, and what to look for in a deployment-flexible authorization platform.

Authorization policies: How to write, test, and validate them (faster with AI)
Writing authorization policies shouldn't take a week. This practical guide covers how to write, structure, and test authorization policies at enterprise scale, the common mistakes that ship security holes, and how to use an AI coding agent to draft full policy bundles while you handle the judgment calls.

Agent skill for writing authorization policies
Writing authorization policies from a blank file is slow. The Cerbos agent skill handles the drafting for you, asking clarifying questions in plain English before generating a full Cerbos policy bundle with schemas, roles, resource policies, and tests. Works with Claude Code, Cursor, Codex, and more.

Why centralized authorization governance reduces incident response time
Centralized authorization governance gives security leaders instant visibility into every access decision during a breach. This article covers why fragmented access control stalls incident response, how AI agents expand the authorization surface, CISO personal liability under SEC rules, and how to evaluate solutions.

OPA alternative
This article examines why Cerbos stands out as the best alternative to Styra and OPA for authorization needs. The comparison is based on policy language, deployment, performance, observability, developer experience (DX) and scalability.

Why AI agents make authorization a right-now problem
AI agents don't create new vulnerabilities. They find the authorization ones you already had, faster and at scale. Why Gartner's new Authorization Management Platform category matters, what deterministic policy enforcement looks like, and how to close the gaps before the next model release finds them.

Modernizing legacy application authorization: why it’s your biggest security blind spot
Your legacy applications have the weakest authorization controls and the most sensitive data. Learn how security and identity teams can close the governance gap by adding policy-based authorization, compliance-ready audit trails, and context-aware access decisions at the gateway without modifying the application.

How to add authorization to legacy applications without code changes
Learn how to add authorization to legacy applications without modifying a single line of code. This guide covers the gateway pattern with Cerbos Synapse and Envoy, route-level policy enforcement, device posture checks, audit trail coverage, and a phased path from zero visibility to full authorization governance.

5 authorization blind spots auditors find, and how to fix them
A practical guide to the 5 authorization gaps that drive access control audit findings in regulated enterprises. Covers scattered authorization logic, proof of enforcement, role versus permission reviews, non-human identity governance, and AI agent authorization, with concrete steps to fix each one.
